RANGER-5215 : Policy authroisation fails for Ranger Plugins in case of users/groups converted by Ranger userysnc as per given Regex #584
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dhavalshah9131
requested review from
Copilot,
mneethiraj,
pradeepagrawal8184,
bhavikpatel9977,
kumaab,
spolavarpau1,
mehulbparikh and
dineshkumar-yadav
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
kumaab
reviewed
Jun 5, 2025
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
Outdated
Show resolved
Hide resolved
kumaab
reviewed
Jun 5, 2025
ugsync-util/src/test/java/org/apache/ranger/ugsynutil/transform/TestRegEx.java
Show resolved
Hide resolved
kumaab
reviewed
Jun 5, 2025
agents-common/src/main/java/org/apache/ranger/plugin/model/UgsyncNameTransformRules.java
Outdated
Show resolved
Hide resolved
rameeshm
reviewed
Jun 6, 2025
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Outdated
Show resolved
Hide resolved
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Outdated
Show resolved
Hide resolved
…f users/groups converted by Ranger userysnc as per given Regex
…f users/groups converted by Ranger userysnc as per given Regex
dhavalshah9131
force-pushed
the
ds_RANGER-5215_us
branch
from
6d46c54 to
be624fb
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR addresses the issue where Ranger plugins fail authorization due to differences in user/group name formatting between the source (e.g., LDAP/AD) and the Ranger Admin database. The changes introduce a shared utility (ugsync-util) and corresponding configuration constants to apply consistent name transformations on the plugin side. Key changes include:
- Updating various plugin assembly XML files to include the ugsync-util dependency.
- Enhancing the RangerDefaultRequestProcessor and RangerBasePlugin to apply case conversion and regex-based name transformations using a new Mapper instance.
- Adding new constants and a model (UgsyncNameTransformRules) to support the name transformation configuration.
Reviewed Changes
Copilot reviewed 41 out of 41 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| distro/src/main/assembly/*.xml | Added for ugsync-util in several plugin and agent assembly definitions. |
| agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java | Updated to copy service configuration including new name transformation settings. |
| agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java | Added new constants for name transformation configuration. |
| agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java | Added logic to perform user and group name transformation based on config settings. |
| agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java | Introduced configuration loading for name transformation and Mapper instantiation. |
| agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java | Added getters and setters for transformation Mapper and case conversion strings. |
| agents-common/src/main/java/org/apache/ranger/plugin/model/UgsyncNameTransformRules.java | New model to encapsulate name transformation rules. |
| agents-common/pom.xml | Added dependency on ugsync-util with necessary exclusions. |
Comments suppressed due to low confidence (2)
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java:1288
- Consider using getDeclaredConstructor().newInstance() instead of newInstance() for instantiating the Mapper, to follow modern Java instantiation practices.
Mapper userNameRegExInst = regExClass.newInstance();
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java:1308
- Consider using getDeclaredConstructor().newInstance() instead of newInstance() for instantiating the Mapper, to follow modern Java instantiation practices.
Mapper groupNameRegExInst = regExClass.newInstance();
…f users/groups converted by Ranger userysnc as per given Regex
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
Problem Statement:
Currently, when Ranger Usersync is configured with case conversion and special character replacement using regex, it transforms the original user/group names from the source (e.g., AD/LDAP) before storing them in the Ranger Admin database.
Example:
Original name in LDAP/AD: John-jacobs
Usersync configuration:
Issue:
If a Ranger plugin (e.g., Hive) uses the original name John-jacobs during authorization checks, it fails because Ranger Admin only recognizes the transformed name john_jacobs.
Error Example:
Permission denied: user [John-jacobs] does not have [SELECT] privilege on [vehicle/cars/*]
Solution:
To ensure consistency, the same transformation logic used by Usersync must also be applied on the plugin side before authorization. This transformation should be made available as a utility library packaged with the plugins.
Configurability:
This feature must be configurable at the plugin level via a property (e.g., ranger.plugin..supports.name.transformation), allowing users to enable or disable it based on their environment needs.
In ranger-admin-site.xml
ranger.plugins.ldap.username.caseconversion
ranger.plugins.ldap.groupname.caseconversion
ranger.plugins.mapping.username.handler
ranger.plugins.mapping.groupname.handler
ranger.plugins.mapping.regex.separator
ranger.plugins.mapping.username.regex
ranger.plugins.mapping.groupname.regex
How was this patch tested?
(Please explain how this patch was tested. Ex: unit tests, manual tests)
1.) Build successful with unit test.
2.) Manul testing